OAuth 2.1
OAuth 2.1 is an authorization framework that lets users grant third-party applications access to their data without sharing their passwords. It consolidates OAuth 2.0 and its security best practices into a single, simplified specification: PKCE is required for every authorization code flow, the implicit and resource owner password grants are removed, redirect URIs must match exactly, and refresh tokens must be either sender-constrained or rotated. FieldMCP uses OAuth 2.1 as its sole mechanism for authenticating API requests.
How OAuth 2.1 Works in FieldMCP
FieldMCP implements a two-hop PKCE authorization code flow, in which each hop is its own PKCE-protected authorization code exchange:
- Client to FieldMCP — Your AI application redirects the user to FieldMCP's /authorize endpoint with a PKCE code challenge. FieldMCP validates the request and initiates the upstream authorization.
- FieldMCP to John Deere — FieldMCP redirects the user to John Deere's Okta identity provider. The user signs in with their John Deere credentials and grants consent.
- Callback chain — John Deere redirects back to FieldMCP's /oauth/callback, which exchanges the authorization code for tokens. FieldMCP then issues its own tokens to your application; your application only ever holds FieldMCP-issued tokens, not the upstream John Deere tokens.
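The two hops above, walked through as an added example in Go. This is an illustration written for this page, not FieldMCP's code: both authorization servers are modelled in-process by a small `PKCEServer` type, browser redirects become direct calls, and the hostnames, client_id and redirect URI passed to `AuthorizeURL` are placeholders. What it shows is the PKCE mechanics the flow rests on: a verifier never leaves the party that generated it, each hop binds its own verifier/challenge pair, and an authorization code can be redeemed once and only with the matching verifier.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/url"
)

// NewVerifier returns a fresh PKCE code_verifier: 32 random bytes, base64url without
// padding (43 characters, inside the 43..128 range RFC 7636 requires). It is also used
// below to mint authorization codes, which need the same unguessability.
func NewVerifier() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic("crypto/rand unavailable: " + err.Error()) // there is no safe fallback
	}
	return base64.RawURLEncoding.EncodeToString(buf)
}

// ChallengeFor derives the S256 code_challenge: base64url(SHA-256(code_verifier)).
func ChallengeFor(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL builds the redirect the client sends the user's browser to. Only the
// challenge is included; the verifier stays with the client until the token exchange.
func AuthorizeURL(base, clientID, redirectURI, challenge, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	q.Set("state", state)
	return base + "?" + q.Encode()
}

// PKCEServer is a toy authorization server: it remembers the challenge bound to each
// code it issues and checks the verifier when the code is redeemed.
type PKCEServer struct {
	Name    string
	pending map[string]string // code -> code_challenge
}

func NewPKCEServer(name string) *PKCEServer {
	return &PKCEServer{Name: name, pending: map[string]string{}}
}

// Authorize stands in for the user consenting at this server; it returns a one-time code.
func (s *PKCEServer) Authorize(challenge string) string {
	code := NewVerifier()
	s.pending[code] = challenge
	return code
}

// Exchange redeems a code. It fails if the code is unknown or already used, or if
// SHA-256(verifier) differs from the challenge presented at /authorize.
func (s *PKCEServer) Exchange(code, verifier string) (string, error) {
	challenge, ok := s.pending[code]
	if !ok {
		return "", errors.New(s.Name + ": unknown or already-used code")
	}
	delete(s.pending, code) // single use, even if the verifier check below fails
	if subtle.ConstantTimeCompare([]byte(challenge), []byte(ChallengeFor(verifier))) != 1 {
		return "", errors.New(s.Name + ": code_verifier does not match code_challenge")
	}
	return "access-token-from-" + s.Name, nil
}

// RunTwoHop walks the flow above with an independent PKCE pair per hop and returns the
// token the client ends up with. Redirects are modelled as direct calls.
func RunTwoHop(fieldMCP, okta *PKCEServer) (string, error) {
	// Hop 1: the client creates its verifier; only ChallengeFor(clientVerifier) is sent.
	clientVerifier := NewVerifier()
	// Hop 2: FieldMCP is itself an OAuth client to Okta, with its own separate pair.
	mcpVerifier := NewVerifier()
	oktaCode := okta.Authorize(ChallengeFor(mcpVerifier)) // user signs in and consents
	// Callback chain: /oauth/callback redeems the upstream code with FieldMCP's verifier...
	if _, err := okta.Exchange(oktaCode, mcpVerifier); err != nil {
		return "", err
	}
	// ...then FieldMCP issues its own code, which the client redeems with its verifier.
	clientCode := fieldMCP.Authorize(ChallengeFor(clientVerifier))
	return fieldMCP.Exchange(clientCode, clientVerifier)
}
```

`ChallengeFor` reproduces the S256 test vector in RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` gives challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`), which is a quick way to confirm a client's PKCE implementation before pointing it at the real /authorize endpoint.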
Token Types
- Access tokens — ES256-signed JWTs with a 1-hour expiry, audience-restricted to the MCP endpoint. Sent as Bearer tokens in the Authorization header.
- Refresh tokens — Opaque 32-byte tokens, SHA-256 hashed before storage, so a compromise of FieldMCP's token store does not yield usable refresh tokens. Used to obtain new access tokens without re-prompting the user. Because a refresh token outlives any single access token, keep it in server-side or OS-keychain storage and out of logs and browser-accessible storage.
Why OAuth 2.1 (Not API Keys)
FieldMCP previously supported API keys but has removed them entirely. Compared with a long-lived static key, OAuth 2.1 provides:
- Scoped access — Tokens carry specific permissions rather than blanket access to everything the account can do
- Automatic expiry — A leaked access token stops working within 1 hour; the longer-lived refresh token is the credential that still needs careful protection
- User consent — The data owner explicitly approves each application's access
- Auditability — Token issuance and refresh events leave a clear access trail
Verifying Tokens
FieldMCP publishes its public signing key at /.well-known/jwks.json. If you need to verify access tokens independently, fetch the JWKS, select the key whose kid matches the token header (if the JWKS carries more than one key), and validate the ES256 signature, the exp claim, and the aud claim. Pin the algorithm to ES256 in your verifier rather than trusting the alg value in the token header, check the signature before acting on any claim, and cache the JWKS, re-fetching it only when a token presents a kid you do not have.
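An added example of the independent verification described above, written in Go against the standard library. It is an illustration for this page, not FieldMCP's code: it generates a throwaway P-256 key so that it runs offline, with `NewIssuerKey` standing in for FieldMCP's signing key and the `[]JWK` passed to `Verify` standing in for the parsed `keys` array you would fetch from /.well-known/jwks.json. The audience value used in the usage notes is an assumed placeholder; in practice use the MCP endpoint URL the token is issued for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// JWK is the EC JSON Web Key subset ES256 needs; /.well-known/jwks.json is {"keys": [JWK, ...]}.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

var enc = base64.RawURLEncoding // JOSE uses base64url without padding throughout

// NewIssuerKey generates a P-256 signing key and the JWK that advertises its public half.
func NewIssuerKey(kid string) (*ecdsa.PrivateKey, JWK, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, JWK{}, err
	}
	return priv, JWK{Kty: "EC", Crv: "P-256", Kid: kid,
		X: enc.EncodeToString(priv.X.FillBytes(make([]byte, 32))),
		Y: enc.EncodeToString(priv.Y.FillBytes(make([]byte, 32)))}, nil
}

// Mint signs claims as an ES256 JWT in JWS compact form (the issuer's side).
func Mint(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are raw R||S, 32 bytes each, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify applies the resource-server checks in a fixed order: pin alg to ES256 (the header
// never selects the algorithm), pick the key by kid, verify the signature before trusting
// any claim, then enforce exp and aud. keys is what fetching the JWKS URL would return.
func Verify(token string, keys []JWK, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three segments")
	}
	hdrB, _ := enc.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if json.Unmarshal(hdrB, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("jwt: alg must be ES256")
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys {
		xb, _ := enc.DecodeString(k.X)
		yb, _ := enc.DecodeString(k.Y)
		x, y := new(big.Int).SetBytes(xb), new(big.Int).SetBytes(yb)
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" && elliptic.P256().IsOnCurve(x, y) {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
		}
	}
	if pub == nil {
		return nil, errors.New("jwt: no valid P-256 key in JWKS matches kid")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("jwt: malformed ES256 signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("jwt: signature check failed")
	}
	body, _ := enc.DecodeString(parts[1]) // safe to parse now: it is exactly what was signed
	var claims map[string]any
	json.Unmarshal(body, &claims) // on failure claims stays nil and the exp check fails
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("jwt: expired or missing exp")
	}
	if aud, _ := claims["aud"].(string); aud != audience {
		return nil, errors.New("jwt: audience mismatch")
	}
	return claims, nil
}
```

A typical call is `Verify(token, jwks.Keys, "https://fieldmcp.example/mcp", time.Now())` with the audience replaced by the real MCP endpoint URL; the hostname there is a placeholder. Note the ordering inside `Verify`: the algorithm is pinned before the key is chosen, and the payload is not even decoded until the signature has been checked, which is what defeats alg=none and key-confusion tricks. This example accepts aud only as a single string, which matches a token restricted to one endpoint; RFC 7519 also allows an array form, so add that case if you ever validate tokens from another issuer.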
Further Reading
- Authentication guide
- Machine-to-machine auth for service-to-service flows